CVE-2023-25828 – Authenticated Remote Code Execution in Pluck CMS
https://notcve.org/view.php?id=CVE-2023-25828
Pluck CMS is vulnerable to an authenticated remote code execution (RCE) vulnerability through its “albums” module. Albums are used to create collections of images that can be inserted into web pages across the site. Albums allow the upload of various filetypes, which undergo a normalization process before being available on the site. Due to lack of file extension validation, it is possible to upload a crafted JPEG payload containing an embedded PHP web-shell. An attacker may navigate to it directly to achieve RCE on the underlying web server. • https://www.synopsys.com/blogs/software-security/pluck-cms-vulnerability • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2020-18198
https://notcve.org/view.php?id=CVE-2020-18198
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component "/admin.php?action=images". • https://github.com/pluck-cms/pluck/issues/69 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2020-18195
https://notcve.org/view.php?id=CVE-2020-18195
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component "/admin.php?action=page". • https://github.com/pluck-cms/pluck/issues/69 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2020-29607 – Pluck CMS 4.7.13 - File Upload Remote Code Execution (Authenticated)
https://notcve.org/view.php?id=CVE-2020-29607
A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin-privileged user to gain access to the host through the "manage files" functionality, which may result in remote code execution. Pluck CMS version 4.7.13 suffers from a remote shell upload vulnerability. • https://www.exploit-db.com/exploits/49909 • https://github.com/0xAbbarhSF/CVE-2020-29607 • https://github.com/0xN7y/CVE-2020-29607 • http://packetstormsecurity.com/files/162785/Pluck-CMS-4.7.13-Remote-Shell-Upload.html • https://github.com/Hacker5preme/Exploits/tree/main/CVE-2020-29607-Exploit • https://github.com/pluck-cms/pluck/issues/96 • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2019-9050
https://notcve.org/view.php?id=CVE-2019-9050
An issue was discovered in Pluck 4.7.9-dev1. It allows administrators to execute arbitrary code by using action=installmodule to upload a ZIP archive, which is then extracted and executed. • https://github.com/pluck-cms/pluck/issues/70 • CWE-434: Unrestricted Upload of File with Dangerous Type